Posted by samzenpus on Thursday June 13, 2013 @10:35PM
from the protect-ya-neck dept.

Debian warns on its blog: "The unofficial third party repository Debian Multimedia stopped using the domain debian-multimedia.org some months ago. The domain expired and it is now registered again by someone unknown to Debian. (If we're wrong on this point, please send us an email so we can take over the domain!) This means that the repository is no longer safe to use, and you should remove the related entries from your source.list file."
Update: 06/14 02:58 GMT by U L: If you're wondering where it went, it moved to deb-multimedia.org, after the DPL (at the time) asked the maintainer to stop using the Debian name.

You are better off to just grep for multimedia.org. Then you can see if you are using either repository, and if you need to change it. If nothing shows up, then you might want to consider adding a line for deb-multimedia.org. One subtle thing that a seasoned tech expert learns over time is that searching/grepping for something a little less specific can sometimes yield far more lucrative results than being (overly) explicit.
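The audit the comment above suggests, written out as an added example (not code from the thread or from apt): it parses deb/deb-src lines the way apt reads them (skipping comments, tolerating an `[options]` field, matching the host case-insensitively), flags entries for the expired domain and entries for the moved one, and produces a copy of the file with the dead entries commented out. The sources.list content is constructed sample data.

```python
from urllib.parse import urlparse

# Hosts the thread says are no longer safe (domain expired and re-registered)
# and the host the repository moved to (still third-party, key must be checked).
DEAD_HOSTS = {"debian-multimedia.org", "www.debian-multimedia.org"}
MOVED_HOSTS = {"deb-multimedia.org", "www.deb-multimedia.org"}

# Constructed sample sources.list (not taken from any real system).
SAMPLE_SOURCES = """\
deb http://ftp.debian.org/debian wheezy main contrib non-free
deb http://www.debian-multimedia.org wheezy main non-free
# deb http://www.debian-multimedia.org sid main
deb [arch=amd64] http://deb-multimedia.org/ wheezy main
deb-src http://DEBIAN-MULTIMEDIA.ORG wheezy main
"""


def parse_source_line(line):
    """Return (type, host) for an active deb/deb-src line, else None."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return None                      # blank or already commented out
    parts = stripped.split()
    if len(parts) < 2 or parts[0] not in ("deb", "deb-src"):
        return None
    # apt allows "deb [arch=amd64,...] URI suite components"
    uri = parts[2] if parts[1].startswith("[") and len(parts) > 2 else parts[1]
    host = (urlparse(uri).hostname or "").lower()
    return parts[0], host


def audit(text):
    """List (line number, action, host) for every multimedia repo entry found."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        parsed = parse_source_line(line)
        if parsed is None:
            continue
        _, host = parsed
        if host in DEAD_HOSTS:
            findings.append((lineno, "remove", host))
        elif host in MOVED_HOSTS:
            findings.append((lineno, "verify-key", host))
    return findings


def disable_dead_entries(text):
    """Return the file contents with entries for the expired domain commented out."""
    out = []
    for line in text.splitlines():
        parsed = parse_source_line(line)
        if parsed is not None and parsed[1] in DEAD_HOSTS:
            out.append("# disabled: domain expired and re-registered\n# " + line)
        else:
            out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for lineno, action, host in audit(SAMPLE_SOURCES):
        print(f"line {lineno}: {action} ({host})")
    print(disable_dead_entries(SAMPLE_SOURCES))
```

On a real system the same functions would be run over /etc/apt/sources.list and each file under /etc/apt/sources.list.d/, which is where apt reads entries from.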

They should just put an update to apt in the official repository that doesn't change anything except looking for that in the sources files and replaces it with the new correct one.

No need for a patch to apt just for this. If you're using signed packages only (as most people do), then all of those from the bogus debian-multimedia will be flagged as unsigned or improperly signed. It's simple to avoid using apt-key... 'nuff said.

The point is that you include as an OS update some code that optionally redirects the website. Something that pops up and explains the danger and then allows the system admin to choose what to do.

One of the major reasons for package management and updates isn't to help close security holes in the system. Saying it is outside the domain of package management to ensure the security of the package management system is, frankly, pretty ludicrous. It is indeed the whole point of having one that possible secu

It's possible to add a bit of grep(1) and sed(1) to the apt package to comment out references to debian-multimedia.org in the /etc/apt tree.

Honestly, though, this is the responsibility of the owner/sysadmin of the machine. There are dozens and dozens of non-canonical repositories, and Debian Developers can't be responsible for keeping track of all of them. The owner/sysadmin added the 3rd party repositories, and he should be responsible for maintaining them. I

I have a broken shoelace. Should I replace it or just get some brand new Microsoft shoes? I suppose I could wait until the shoes wear out and then replace everything at the same time, or I could call out that "shoelace flying doctor" company.

Trouble is the art of shoelace replacement died out since everyone has told us it is hard and only for experts.

More accurately: Linux security - if a change you made to the system turns out to be insecure, you have to remove it yourself later. It's not like debian is distributed with such third-party update sites listed in apt.sources.

The Debian community is in fact very concerned by it, but there's very little that we can do. Intrusively hacking the sources.list isn't a nice thing to do. The one to blame is the old owner of debian-multimedia.org, not Debian itself. debian-multimedia.org (and deb-multimedia.org by the way) was non-official anyway, and not supported (and in fact, disliked by the Debian Multimedia team (notice the space instead of the dash...)).

It's not the role of Debian to back-hack the cruft of a sysadmin. If a sysadmin decided to add a non-official repository, it's his responsibility to maintain it. If the non-official repository goes away this way, Debian isn't to blame.

I think the fight over the name, which caused the name change, was a mistake with consequences that could have been predicted.

Absolutely not. All Debian Developers were aware of what was going on, and none thought it would end this way.

You might be aware that there are other sites using the word "debian" in the URL. For example www.debian-administration.org. Though we don't care much about them. But here, we had someone working against Debian, and the way he acted shows the DPL did the right thing, especially seeing how much the owner of the site didn't care for its users.

Even if it's the fault of the sysadmins who messed with their systems, finding a non-intrusive way to help them from getting nailed is in everybody's long term interest (except maybe Microsoft or other non-Linux vendors... and even they want a healthy Internet). In the worst-case scenario that this domain gets acquired by bad people and users get burned by this, it will make UNIX/Deb look bad, cause harm to various individuals, and potentially even lead to more spam or malware.

Please correct me if I'm wrong for this specific one; but the official repositories and many of the 3rd party ones are signed, and you mark the corresponding public key as trusted when you add the repo. Unless the new owner got the domain name and the signing key, their ability to fuck with you is pretty much limited to breaking dependencies in assorted creative ways. Unless you speed through those annoying warnings about crypto issues, in which case you are executing god-knows-what as root. So don't do that.

If the individual packages in the repository are signed but the repository as a whole is not, then there is a problem with how the repository system is designed. The list of files on the repository should be signed with the repository's own key.

If the individual packages in the repository are signed but the repository as a whole is not[...]

man apt-key...

I think here, you are mistaking Debian with RedHat... Packages are signed individually by their maintainer. But that is used only to validate an upload to the Debian repository. What is in use by Debian users, unlike on a RPM based system, is the Release.gpg file, which is the signature for the repository. This, in the official Debian repositories, is signed by the FTP masters (and the key used to sign the repository is signed by multiple Debian Developer, all in the web of trust).

The binary packages (*.deb files) are not signed. It's the "Release" file that is signed. It contains checksums of the "Package" files that contain checksums of the "*.deb" files.

Those are probably not checksums, but actually cryptographic hashes. And assuming they are actually cryptographic hashes, then signing the hash or signing the input is pretty much the same thing. You never sign the actual files in the first place (since they are too large to be input into the signing algorithm), you always hash the

The files in the repositories are signed, there is nothing that confirms that the line in your apt sources is actually connecting to someone you know.

True, having your system chatting with random servers about how it could really use an update isn't a good thing. My point/question was just that, even if you control the domain name the apt sources point to, you can't actually tamper with package payloads without apt freaking out about it, which at least mitigates the damage.

See what I wrote above. This is simply wrong. There's a Release.gpg file which is signed by the FTP masters, and which validates the repository.

1. The bad guys can refuse to tell you about a security update you actually needed, fooling you into thinking you're secure when actually they have an exploit that you were supposed to be updated against but you aren't.
2. The bad guys can trickle you a "bad" update that's been superseded, making your security worse. This is a genuine update, made by (in this case) Debian, but which happened to have some bug in it that you'd rather not have. Real repos may have held this update only for a few hours at some point, or even only on some testing server and not on their main repo at all, but if they're signed then you'll never know once the bad guy repo lies to you about how you ought to download the update.

Please don't spread such nonsense. This can't happen, unless the user chooses to dismiss the warnings that apt is shouting...

Specifically the release file is signed. That contains the secure hashes of the package lists files which in turn contain secure hashes of the actual packages. If files don't match the expected hashes apt will refuse to use them. If the release file is unsigned or signed by an unknown key apt will warn the user and ask them if they want to continue.
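The trust chain this comment and the earlier Release.gpg comments describe, modelled as an added example (not code from the thread or from apt): a signed Release file lists hashes of the Packages index, and the Packages index lists hashes of each .deb, so a payload that does not match is rejected. Signature checking of Release itself is assumed to have already passed (that is gpg's job, not shown here); the Release text, Packages index and .deb bytes are constructed sample data.

```python
import hashlib
import re

# Constructed .deb payload and Packages index (sample values, not real archive data).
DEB_PATH = "pool/main/e/example-codec/example-codec_1.0-1_amd64.deb"
DEB_BYTES = b"!<arch>\nconstructed-deb-payload\n"

PACKAGES_TEXT = (
    "Package: example-codec\n"
    "Version: 1.0-1\n"
    f"Filename: {DEB_PATH}\n"
    f"Size: {len(DEB_BYTES)}\n"
    f"SHA256: {hashlib.sha256(DEB_BYTES).hexdigest()}\n"
    "\n"
)
PACKAGES_BYTES = PACKAGES_TEXT.encode()
PACKAGES_PATH = "main/binary-amd64/Packages"

# Constructed Release file: the part apt trusts once Release.gpg has verified it.
RELEASE_TEXT = (
    "Origin: example\n"
    "Suite: stable\n"
    "SHA256:\n"
    f" {hashlib.sha256(PACKAGES_BYTES).hexdigest()} {len(PACKAGES_BYTES)} {PACKAGES_PATH}\n"
)


def parse_release_sha256(release_text):
    """Return {path: (sha256, size)} from the SHA256 section of a Release file."""
    entries = {}
    in_section = False
    for line in release_text.splitlines():
        if not line.startswith(" "):
            in_section = line.strip() == "SHA256:"   # section header line
            continue
        if in_section:
            digest, size, path = line.split()
            entries[path] = (digest, int(size))
    return entries


def parse_packages(packages_text):
    """Return {Filename: (SHA256, Size)} for each stanza in a Packages index."""
    result = {}
    for stanza in re.split(r"\n\s*\n", packages_text.strip()):
        fields = dict(line.split(": ", 1) for line in stanza.splitlines() if ": " in line)
        result[fields["Filename"]] = (fields["SHA256"], int(fields["Size"]))
    return result


def matches(data, expected):
    """Check both the size and the SHA256 the index vouches for."""
    digest, size = expected
    return len(data) == size and hashlib.sha256(data).hexdigest() == digest


def verify_chain(release_text, packages_path, packages_bytes, deb_path, deb_bytes):
    """True only if Packages matches Release and the .deb matches Packages."""
    release = parse_release_sha256(release_text)
    if packages_path not in release or not matches(packages_bytes, release[packages_path]):
        return False      # index is not the one the signed Release vouches for
    packages = parse_packages(packages_bytes.decode())
    if deb_path not in packages:
        return False      # package not listed in the verified index
    return matches(deb_bytes, packages[deb_path])
```

A mirror that controls only the domain can serve a different .deb or a different Packages file, but either change breaks the chain; what it can still do is serve an older, still correctly signed Release, which is the downgrade/withholding case discussed further down the thread.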

She said (the actual debian team) he shouldn't use the confusion it causes and people think donating to him is for Debian in general due to the scammy way its worded and fine print...

He said, I'll just dump the original name, then in my nice passive aggressive way, I'll use another name that is going to cause more or less the exact same problem! That'll teach those guys!.

She then had to warn all of her customers because he just let the domain expire and be taken over by someone else for phishing purposes, he is such a considerate guy, she said under her breath.

So basically, the debian-multimedia guy is being an ass by not only making a new nearly equally confusing name, the jack ass let the old one expire immediately so that someone else could pick it up, and in tiny print (wtf is with jackasses making text small, let the browser do its job douche) he puts on his website... that no one visits after the initial hits because they now have the repository in /etc/apt anyway... there he tells of the change...

Since apt doesn't validate that the domain is held by a trusted source/known private key before accepting it, this is a known issue and the d-m.o guy is just being an unhelpful ass.

After reading everything, I think d-m.o douche could have been a lot more professional.

He could have been a normal person and just done what debian asked... put a notice on his page saying 'I'm not taking these donations for debian, they are for me!' but instead he didn't want to.

He's essentially trying to scam people into donations unless they carefully read the right parts of his site. Now I'm all for reading the fine print, but when you are intentionally scamming people and trying to skirt around that fact by 'the fine print' so to speak, you're still just a scumbag.

This guy, needs to be blacklisted by geeks. No one should give him money, he's not a team player, a bad sport, a jerk, and a scammer. He's a passive aggressive asshole.

Yes, I can get that from reading a couple of his websites and an email thread on the Debian lists.

The issue is the Debian team were demanding things that they could not expect. The maintainer of d-m.o was free to do whatever they wanted which includes maintaining separate versions of packages in Debian proper. They pointlessly demanded that he stop using debian in his domain name which achieved nothing. It did not reduce any confusion, and it did not stop him doing what he was doing before. Worse than that the domain expired and some random other person picked it up.

They pointlessly demanded that he stop using debian in his domain name which achieved nothing.

Not what happened. We asked Christian Marillat (the old owner of debian-multimedia.org) to stop doing things separately, and work with the Debian Multimedia team. He was also asked to stop building packages which are constantly breaking upgrades from one Debian version to the next. But it seems he prefers doing things alone...

Yeah, d.m.o packages do break upgrades, creating extra work and making the system less stable. But then, the official repository does not carry lots of software that are prohibited by US laws... Well, not the entire world is subject to US laws.

Sounds like a good reason to use a distribution that includes such basic functionality in their primary repositories.

Is it even legal to make such a distribution if you happen to live in the United States, Dice's home country? A lot of the multimedia functionality that people expect includes royalty-bearing technology such as MPEG audio and video decoders.

I'm fairly certain at this point that decoders are cheap or already paid for. I remember someone actually doing it, and I know when I installed Ubuntu 12.04, it asked if I wanted to install closed source binaries for that purpose. So someone paid for the royalties or arr

I'm fairly certain at this point that decoders are cheap or already paid for.

If someone is using Ubuntu to replace a Windows installation that will no longer boot or which will soon be no longer supported by Microsoft, then using the decoders that were paid for with Windows

Not that there aren't ways to do it on Linux - Apple gives away the decoder for free with QuickTime. You don't need an iThing to download iTunes or QuickTime, after all, and if you get the Windows version, not a cent went to Apple to pay for it.

The encoder still costs money ("QuickTime Pro"), and the last time I checked, iTunes was rated "garbage" in Wine.

when I installed Ubuntu 12.04, it asked if I wanted to install closed source binaries for that purpose. So someone paid for the royalties or arranged it to be royalty free.

The notice that I got stated that it might violate patent law to install those packages. So they're probably hosted in a country with no software patents.

The name actually caused real problems for Debian maintainers and users.

Hmmm... well, having scanned through that thread (read it folks, it's not that long), all I can say is that if that's the DPL-approved way of fixing problems, I don't want those idiots anywhere near my plumbing.

Public ultimatums are not an appropriate or effective technique to use on someone you don't have any functional control over.

Reducing what happened with Christian Marillat to only a single thread is deceptive. The issue with his repository breaking upgrades from one version of Debian to the next, and his constant refusal to work within Debian (even though he is a Debian Developer) is all but new.

Reducing what happened with Christian Marillat to only a single thread is deceptive.

Probably. It doesn't change my point.

By forcing a name change, all they've accomplished is to piss off the people who value his service over any breakage that he manages to cause and making him even less likely to give a shit about what the Debian project wants or needs (assuming he could care even less than he already did).

Nobody forced him to change the name. The DPL asked him to stop confusing his users into believing that donations would go to the Debian project. That's very different. And then he twisted it, and changed his domain name, so he wouldn't be bothered. I'm quite sure users will still get confused. Probably that's what he wants.

People use his services to solve a problem with the core Debian distro, and apparently he runs his service well enough that people continue to rely on his stuff. The only way to "get rid of him" is to offer a better solution to the underlying problem, not to play games with names.

"Force" is maybe a strong word. It was one of the two options given, presented as if it might be undesirable, and it doesn't look like he wasted much time thinking about it.

Such a better solution (which would be: work more with the Debian Multimedia team, and make his repository not needed anymore, with everything directly available in Debian) have been attempted multiple times. Though he didn't seem to care doing that.

The first describes why "unofficial" repositories exist in the first place - So we can install non-stock versions of packages. That breaks dependencies? Hey, the user has to choose to add those to his apt sources, so keep your nose out of it, DPL.

/ Glad I've always preferred Slackware. No games, no GNU/purism, no corporate BS. Just a rock-solid distro that stays true to its roots.

That's cool. How about it if Volkerding had to spend all his time addressing bogus bug reports caused by fucked up packages people found on slackware-coolstuff.org?

Debian doesn't have a problem with unofficial sources. Heck, they don't even have a problem with broken packages. They only have a problem with having to spend time resolving bugs that turn out not to be theirs. If it was obvious that dmo wasn't an official repo, there wouldn't be a problem. That's exactly what the name change is trying to addres

And the second amounts to nothing more than weaselly lawyering up. Quick poll, everyone who loves FOSS at least in part to avoid that pro-corporate "protect our IP at all costs" bullshit, raise your hand? Yeah, thought so.

The issue wasn't only trademark. It was mainly that Debian users are fooled into believing that this was part of Debian, when it was not, and that this repository was breaking things badly.

The problem essentially boils down to people reporting bugs in dmo-packages directly to debian itself. Sometimes in obscure ways so that it takes time to identify the mistake. This puts an unneeded burden on debian developers, when it's reports for software that's out of their control.

All debian wants here is to not take the blame for, and spend unneeded work on resolving issues coming from broken dmo-packages. The risk of that happening decreases if 'debian' in not in the name. One of the bug reports linke

The more popular the package is the better and more arcane the reasoning is the better, hence why Debian has iceweasel while virtually ever single other linux distro has Firefox.

I didn't comment on the rest, because that's silly enough, so I'll comment only on that one. The problem with Firefox vs Iceweasel is located at the Mozilla foundation, which refuses that someone uses the name Firefox (and its logo) if patches are added. Other distributions might just ignore that fact, but Debian cares about licenses and trademarks. If you want this to change, then you are welcome to ask Mozilla to change its trademark policy.

1: Mozilla didn't like the use of the firefox name with the "unbranded" logos and debian considered the copyright license of the "branded" logos non-free.
2: Mozilla wanted to be asked for approval for every patch.

Personally I say kudos to debian for not rolling over to these demands.

Yeah, exactly. Mozilla asking for approval for every single patch is a violation of the Debian Free Software Guidelines paragraph 3 as seen here: http://www.debian.org/social_contract [debian.org] and which every DD has signed off. Mozilla is evil here, not Debian.

Given not everyone will know the repo had been moved and the domain is now registered to new owners, the most sensible approach in this case would have been to post an emergency update through the official Debian repositories, such that if the Debian-Multimedia.org is present, it is automatically removed from any source.list files and replaced with deb-multimedia.org. No harm, no foul.

I agree. If the Debian project wants to cause these possible security problems for stupid trademark/naming issues, then the least they can do is push an update to fix this for all affected users. As it is, they're causing a potential serious security problem for many of their users... and yet, actively doing nothing at all to eliminate the chance of Debian machines getting owned by malicious package installs. I would say that this is a pretty big mistake, on the level of the SSL certificate problem sever

No one 'forced' him to change the name. Read that again. NO ONE FORCED HIM TO CHANGE THE DOMAIN NAME.

They asked for him to stop soliciting donations in a way that made it look like he was doing it for Debian proper. Then if he didn't want to do that, they started clamping down on the name usage in order to resolve the real problem, which is him making it unclear that he isn't collecting for Debian proper

He's an ass and didn't want to stop scamming people for donations (he is intentionally misleading, thi

I haven't been following this so I don't know. You're not that clear either. First you say that nobody forced him to change the name. Then you say they "clamped down" on the name bit which, well, means they forced him to change the name unless I'm not getting something. It certainly sounds like they forced him to change the domain name given your description except you preface it by saying they didn't - then you say they did. Like I said, you're not helping.

No, you misread. They didn't "clamp down" on the name. You appear to have missed an "if" that was written above. They probably would have clamped down on the name if he had refused to make it clear that donations to him are not donations to Debian. But it never got that far. All they did do was "ask him to stop soliciting donations in a way that made it look like he was doing it for Debian proper." They made a request, that's all they did, and this was how he responded to the request.

"Then if he didn't want to do that, they started clamping down on the name usage in order to..."

The sentence makes no sense so I read it as they started clamping down on the name usage (which is what it says). If he hadn't changed the name then they WOULD have started clamping down? Did they threaten to clamp down on the name usage? If they threatened then it could still be said that they forced him to change his name (it was the only alternative he had if he didn't want to

As for the 'to him' crack, naturally, were you expecting him to take the action least unpalatable to Ernest Spinkmeyer of Walla Walla Washington instead?

As a native English speaker and literate, I see nothing obscure about his solicitation for donations. I can see how some *might* have been confused when it was debian-multimedia if they didn't read any of the available documentation. What would you have him call the repo? Blotzig4windows?

And he took one of the actions they demanded. I didn't claim it was wrong of Debian to demand it at all. But it is disingenuous to claim that he took this action with no prompting and even more so to lay the current problem (if it even is a problem) at his feet.

The proper way to resolve this exact problem is to require sources to have a valid digital signature signed by a trusted party

We DO have signed repositories and apt DOES check the signatures. However there are a couple of traps the unwary could fall into.

1: Some people may have just decided to ignore the security warning rather than properly set up the key for a third party repository.
2: The first assumption of someone getting a key error who isn't aware that the domain is no longer in trusted hands may well be to think that they haven't installed the key properly and to go to reinstall the key. Unfortunately they are unlikely to do so in a secure manner. They are likely to either go to the website on the domain in question to get the key or download it from a public keyserver by its 32-bit key ID (which are easy enough to collide).

Or, worse still: apt-get install deb-multimedia-keyring as is recommended on the archive's home page.

I'm not sure if they can. The whole reason for that repo is that it contained packages not legal for Debian to distribute in all countries. Doing your fix would imply that Debian endorses and aids this repo.

I've had this repo in my apt list forever, it's changed names three times and has had two maintainers since I've added it to my list. It's where the dvd decrypter deally lived and a better mplayer package and well surprise, multi-media packages that were/are bleeding edge compared to the stock debian fare. I changed my apt source ages ago to reflect the title change after I noticed apt-get was pitching a fit; it only took opening up another browser tab and going to the multi-media web site to see why. You have to manually edit/write a file to add the repo, manually grab and load the key. Jeeze, I always have to add non-free and contrib on a new default install.

If you want current packages, use the unstable repository. Note that it's the repository that's unstable, not the operating system. Every week there are dozens of updates to the repository, but my system never crashes. Sid makes a great desktop or HTPC. Stable is for servers only.